gdbus - caller authentication

David Sommerseth dbus at lists.topphemmelig.net
Mon Aug 21 16:20:51 UTC 2017


Hi,

I'm enhancing the security aspects of the new OpenVPN 3 client
I'm working on.  Now I've come to the area of authentication of
unprivileged users.  I might use the wrong terminology, so please bear
with me and educate me.


* Background
A configuration manager is activated automatically by the dbus-daemon
when its service is needed.  It provides its service on the system bus
and runs with an unprivileged UID/GID.

The configuration manager is responsible for keeping/storing
configuration data for both short term and long term (persistent, saved
to disk) usage.  On a successful import, a unique object path is
returned back to the caller.  This path can also get an alias name which
can be used instead.

When a user or the system wants to start a VPN tunnel, the client
application sends a NewTunnel method call to the session manager and
provides the configuration path or alias.  The session manager (which
also runs unprivileged) ensures a client process is started which has
root privileges.  This process takes the configuration path/alias and
sends a "FetchConfig" call to the configuration manager and gets all the
information it needs to set up the connection.


* The challenge
We want to have two kinds of configurations.  The first one is
accessible by all users; typically a global corporate configuration or
used on servers to connect to the VPN at boot or through other on-demand
services.  Those configurations typically do not contain any user-
specific information, such as personalized authentication certificates.

The other configuration type is the "private" one.  That should only be
accessible by the same UID/GID that imported the configuration.  If the
UID/GID doesn't match, it should get an Access Denied type of error.

In all this, we do not want to create/write a new D-Bus server
(GDBusServer), we want to connect to an existing and already running
D-Bus server daemon.


Currently I use g_bus_get_sync() to get access to the system bus and
when I call g_dbus_connection_get_peer_credentials () from the service
side, it returns NULL.  So I believe something needs to be flagged
correctly to provide that information.

My gut feeling tells me G_DBUS_CONNECTION_FLAGS_AUTHENTICATION_SERVER is
missing, but I don't see how I can set that flag.  And I should
probably look at g_dbus_connection_new_sync(), but then I'm
wondering where/how I can get the proper GIOStream.

I have also started looking at GDBusAuthObserver and the
"authentication-observer" signal, but I haven't figured out yet how to
couple that with g_bus_get_sync(), if that is even possible.

I have also started to wonder if this should be handled by polkit as
well, but I haven't fully grasped the concept of how that could be done.
Part of it would be the policies, which I don't quite understand how it
could check if the method caller to the D-Bus server could be matched
against a stored value inside the configuration manager.  So then some
of the authentication would need to be passed on from polkit to the
configuration manager.


Can someone please point me in the right directions?

Thanks in advance!


-- 
kind regards,

David Sommerseth
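
The access rule from "The challenge", as an added C example that is not part of the original post or of the OpenVPN 3 code: public configurations are readable by any identified caller, private ones only by the importing UID, whether addressed by path or by alias. It assumes the caller is identified by its bus unique name and that the UID lookup, stubbed here with constructed data, is backed by org.freedesktop.DBus.GetConnectionUnixUser; all paths, aliases, bus names and UIDs are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef enum { FETCH_OK, FETCH_NOT_FOUND, FETCH_ACCESS_DENIED } fetch_result;
typedef struct {
    const char *path, *alias; /* object path from import; alias may be NULL */
    bool        is_public;    /* readable by every user */
    uint32_t    owner_uid;    /* UID that imported the configuration */
} config_entry;

/* Maps a bus unique name to a UID. Assumption: a GDBus service would back this
 * with org.freedesktop.DBus.GetConnectionUnixUser on the method call's sender. */
typedef bool (*uid_lookup_fn)(const char *sender, uint32_t *uid);

/* Constructed sample data: hypothetical paths, aliases and UIDs. */
static const config_entry configs[] = {
    { "/example/config/1", "corp",  true,  0    },
    { "/example/config/2", "alice", false, 1000 },
};

/* Constructed stand-in for the bus daemon's name-to-UID mapping. */
static bool sample_lookup(const char *sender, uint32_t *uid)
{
    if (strcmp(sender, ":1.10") == 0) { *uid = 1000; return true; }
    if (strcmp(sender, ":1.11") == 0) { *uid = 1001; return true; }
    return false; /* unknown name, e.g. the caller already disconnected */
}

/* A path and its alias resolve to the same entry, so both get the same check. */
static const config_entry *find_config(const char *ref)
{
    for (const config_entry *c = configs; c < configs + sizeof configs / sizeof *configs; c++)
        if (!strcmp(c->path, ref) || (c->alias && !strcmp(c->alias, ref)))
            return c;
    return NULL;
}

fetch_result fetch_config(const char *sender, const char *ref, uid_lookup_fn lookup)
{
    uint32_t uid;
    /* Fail closed when the bus cannot vouch for the caller, even for public entries. */
    if (sender == NULL || !lookup(sender, &uid))
        return FETCH_ACCESS_DENIED;
    const config_entry *c = find_config(ref);
    if (c == NULL) return FETCH_NOT_FOUND;
    return (c->is_public || c->owner_uid == uid) ? FETCH_OK : FETCH_ACCESS_DENIED;
}

int main(void) { return fetch_config(":1.11", "alice", sample_lookup) != FETCH_ACCESS_DENIED; }
```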

